- Facebook is warning its marketing partners against illicitly scraping users’ data.
- The warning comes after Business Insider revealed startup Hyp3r harvested millions of Instagram users’ data, saved their Stories, and tracked their locations.
- Instagram failed to notice Hyp3r’s actions, and had added it to its exclusive Facebook Marketing Partner list.
- Click here for more BI Prime stories.
Facebook is warning some of its closest marketing partners against illicitly scraping data after a buzzy startup was found to be saving personal information and tracking the locations of millions of Instagram users.
Late last week, after Business Insider revealed that San Francisco marketing firm Hyp3r had been harvesting huge volumes of data from Facebook-owned Instagram, Facebook emailed some of its Facebook Marketing Partners to reiterate its rules on handling user data.
“You may not access or collect data from us using automated means, without our prior permission. Automated means include harvesting bots, robots, spiders, or scrapers,” Facebook wrote in an email seen by Business Insider.
Data scrapping is a controversial practice that uses automated technology to systematically save information that people share publicly on social media, from users’ posts and photos to their profile details. Some argue that because the information has been shared publicly it’s fair game, but privacy advocates say collecting the data violates reasonable expectations about privacy — especially in the case of Instagram Stories, which are designed to disappear after 24 hours.
For Facebook, which is trying to repair its damaged reputation in the wake of the Cambridge Analytica scandal, safeguarding its users’ data from scraping and other misappropriation is paramount. And, as the case with Hyp3r illustrated, Facebook and Instagram’s protections have been somewhat lax.
Hyp3r monitors social media posts made at real-world locations like bars, stadiums, hotels, and gyms, and then uses that data to target people with personalised ads and help businesses engage with customers at their locations. But it built some of this functionality through unauthorized means, taking advantage of a security vulnerability in Instagram’s systems and of Facebook’s failure to properly vet it. As a result, it assembled detailed profiles on millions of Instagram users, monitoring their movements, and saving their Stories, which are supposed to disappear after 24 hours and not be available to developers.
Facebook failed to notice this activity, and even added Hyp3r to its exclusive list of Facebook Marketing Partners — a directory of vetted companies that “can give you superior insights and data for better marketing decisions.”
After Business Insider reached out to Instagram about Hyp3r’s activity, it issued the firm with a cease and desist, and Hyp3r has now closed down its platform, it said in an announcement on its website.
Facebook has also reached out to other Facebook Marketing Partners in the wake of the revelations, to inform them that it has removed a marketing partner, and to remind them of the platform’s rules. It cites four key rules:
“You may not access or collect data from us using automated means, without our prior permission. Automated means include harvesting bots, robots, spiders, or scrapers. You may not transfer any data, aside from Account Information, outside the app that has collected it, except to your service provider. You may not sell, license, or purchase any data obtained from us. You must protect the information you receive from us against unauthorized access, use, or disclosure.”
An Instagram spokesperson declined to comment.
Got a tip? Contact this reporter via encrypted messaging app Signal at +1 (650) 636-6268 using a non-work phone, email at email@example.com, Telegram or WeChat at robaeprice, or Twitter DM at @robaeprice. (PR pitches by email only, please.) You can also contact Business Insider securely via SecureDrop.
- Instagram’s lax privacy practices let a trusted partner track millions of users’ physical locations, secretly save their stories, and flout its rules
- Mark Zuckerberg’s personal security chief accused of sexual harassment and making racist remarks about Priscilla Chan by 2 former staffers
- Facebook says it ‘unintentionally uploaded’ 1.5 million people’s email contacts without their consent
- Years of Mark Zuckerberg’s old Facebook posts have vanished. The company says it ‘mistakenly deleted’ them.